Enlarge / This is the note that’s left on computers infected by PetyaWrap. (credit: Eset)
A new ransomware attack similar to last month’s self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, reportedly including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 2,000 computers, according to one security company.
PetyaWrap, as some researchers are calling the ransomware, uses the same potent National Security Agency exploit that allowed WCry to paralyze hospitals, shipping companies, and train stations in a matter of hours on May 12. EternalBlue, as the exploit was code-named by its NSA developers, was published in April by a still-unknown group calling itself the Shadow Brokers. The leak gave people with only moderate technical skills a powerful vehicle for delivering virtually any kind of digital warhead. Microsoft patched the underlying vulnerability in Windows 7 and 8.1 in March, and in a rare move the company issued fixes for unsupported Windows versions 24 hours after the WCry outbreak. That meant infections were only possible on machines that were running outdated versions of the OS.
While some researchers said PetyaWrap was a new version of the long-established Petya ransomware, researchers from antivirus provider Kaspersky Lab said that preliminary findings showed it was, in fact, a new piece of malware that had never been seen before. Kaspersky said that it at least 2,000 computers that use its AV products had already been attacked by it.